Thanks for the quick reply.

The difference is in the version number: mine is 4.3.30(3), yours is 4.3.30(2).

[root@e-mail wojtek]# bash --version
GNU bash, version 4.3.30(3)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[root@e-mail wojtek]# (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
bash: line 2: `x{1..200}': not a valid identifier
CVE-2014-7187 vulnerable, word_lineno

This code is not mine, refer to:
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
Exploit 5.

The standard version of shellshock was ignored by me as hard to use for a real remote attack. It took a very short time to see I was wrong, so this time I want to be sure :)

Regards,
Wojtek

-----Original Message-----
From: Chet Ramey [mailto:chet.ra...@case.edu]
Sent: Friday, October 10, 2014 3:37 PM
To: Nabiałek, Wojciech; bug-bash@gnu.org
Cc: chet.ra...@case.edu
Subject: Re: CVE-2014-7187

On 10/10/14, 4:03 AM, Nabiałek, Wojciech wrote:
> Hi,
>
> Bash 4.3 after patch 30 is still vulnerable for shellshock CVE-2014-7187.

No, it's not.

> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ;
> do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

I'm curious about what you think this demonstrates, but in the meantime:

$ ./bash --version
GNU bash, version 4.3.30(2)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | ./bash
$ echo $?
0

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/